<html>
<head><meta charset="utf-8"><title>RUSTSEC-2019-0011: memoffset · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html">RUSTSEC-2019-0011: memoffset</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="171490722"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171490722" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171490722">(Jul 23 2019 at 05:26)</a>:</h4>
<p>I thought I'd split this advisory off into its own topic because it continues to be a particularly interesting case study</p>



<a name="171490733"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171490733" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171490733">(Jul 23 2019 at 05:27)</a>:</h4>
<p>it's one of those cases where the initial severity was underestimated, but the practical exploitability was low... and a lot of people deemed it noise</p>



<a name="171490743"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171490743" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171490743">(Jul 23 2019 at 05:27)</a>:</h4>
<p>based on the number of people who pinged me about it, it was quite noisy, and there was not a particularly clear path forward for a lot of crates which rely on it as a dependency</p>



<a name="171490840"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171490840" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171490840">(Jul 23 2019 at 05:29)</a>:</h4>
<p>I got some pings about adding some kind of exploitability metrics that can be filtered by, but I wonder if this advisory is a good use case for a more fine-grained static analysis of if particular applications are actually impacted</p>



<a name="171490889"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171490889" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171490889">(Jul 23 2019 at 05:30)</a>:</h4>
<p>there are definitely a few existing tools that could potentially be tapped for that purpose</p>



<a name="171490929"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171490929" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171490929">(Jul 23 2019 at 05:31)</a>:</h4>
<p>but in the meantime the exploitability jumped a few times as it was further scrutinized... to memory exposure and then RCE</p>



<a name="171491015"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171491015" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171491015">(Jul 23 2019 at 05:33)</a>:</h4>
<p>in the code at my workplace we ended up ignoring it because there's no path to update (crossbeam-deque is required by tokio, and uses memoffset 0.2 or something). this is far enough removed that i have no clue if the code in question is actually vulnerable, since almost certainly that depends on how it's being used in crossbeam-deque/tokio.</p>



<a name="171491084"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171491084" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171491084">(Jul 23 2019 at 05:34)</a>:</h4>
<p>I just recommended <code>--ignore</code> to a few people</p>



<a name="171491091"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171491091" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171491091">(Jul 23 2019 at 05:35)</a>:</h4>
<p>good thing I shipped that last week <span aria-label="grimacing" class="emoji emoji-1f62c" role="img" title="grimacing">:grimacing:</span></p>



<a name="171491556"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171491556" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Thom Chiovoloni <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171491556">(Jul 23 2019 at 05:46)</a>:</h4>
<p>It's unfortunate. Some digging shows that the use in crossbeam is at least probably not vulnerable to RCE (which would be my largest concern), since it isn't used on a field with a custom deref coersion. still though, it's hard to evaluate an issue like this used in transitive dependencies</p>



<a name="171502274"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171502274" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171502274">(Jul 23 2019 at 09:20)</a>:</h4>
<p>yeah, I bumped the version in crossbeam without having to change anything, so there was no deref coercion involved at least in latest git crossbeam</p>



<a name="171502277"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171502277" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171502277">(Jul 23 2019 at 09:20)</a>:</h4>
<p>now this is "just" waiting on <a href="https://github.com/crossbeam-rs/crossbeam/issues/401" target="_blank" title="https://github.com/crossbeam-rs/crossbeam/issues/401">https://github.com/crossbeam-rs/crossbeam/issues/401</a></p>



<a name="171502368"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171502368" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171502368">(Jul 23 2019 at 09:22)</a>:</h4>
<p>I guess the more general question is: <code>unsafe</code> can be "sealed" behind an sbatraction; if an API is unsound (like <code>memoffset</code>) but a project only uses it transitively through another crate that does not "exploit" the unsafety... how should that be handled? We can have an advisory for the unsound crate, and people should bump if they depend on it directly, but there is little they can do about transitive dependencies and in many cases there actually is no harm done by using the old version.</p>



<a name="171539181"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171539181" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171539181">(Jul 23 2019 at 17:27)</a>:</h4>
<blockquote>
<p>in many cases there actually is no harm done by using the old version</p>
</blockquote>
<p>Exploitability analysis is ridiculously hard. It's usually easier to just get rid of the potentially problematic thing than to analyze if it's exploitable or not. <br>
There are tons of cautionary tales about people looking at a known-broken system but deeming it not exploitable, and then someone else coming along and exploiting the hell out of it. See e.g. the case of M$ and MD5</p>



<a name="171551800"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171551800" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171551800">(Jul 23 2019 at 19:48)</a>:</h4>
<p>fair</p>



<a name="171551821"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171551821" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171551821">(Jul 23 2019 at 19:49)</a>:</h4>
<p>OTOH, the "uninit drop" soundness hole in memoffset is fixed by adding an extra check</p>



<a name="171551858"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171551858" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171551858">(Jul 23 2019 at 19:49)</a>:</h4>
<p>so if code just compiles after adding that check, it already didnt exploit the hole before (on that platform, with the same features)</p>



<a name="171551965"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171551965" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171551965">(Jul 23 2019 at 19:50)</a>:</h4>
<p>and looking at <a href="https://github.com/crossbeam-rs/crossbeam/issues/401" target="_blank" title="https://github.com/crossbeam-rs/crossbeam/issues/401">https://github.com/crossbeam-rs/crossbeam/issues/401</a> I feel a bit bad, in particular breaking people's CI until crossbeam can make a new release seems a bit over-the-top (I had no idea people run <code>cargo audit</code> on CI)</p>



<a name="171553560"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171553560" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171553560">(Jul 23 2019 at 20:09)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> the one bit of automated exploitability analysis we could potentially do is checking if any of the affected codepaths are actually used by the app in question</p>



<a name="171553637"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171553637" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171553637">(Jul 23 2019 at 20:10)</a>:</h4>
<p>via call graph analysis</p>



<a name="171554352"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171554352" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171554352">(Jul 23 2019 at 20:19)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> people only run it on CI because there is no proper security update mechanism in Cargo. CI is not the right way to deal with this. But that's a story for another time.</p>



<a name="171615105"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011%3A%20memoffset/near/171615105" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/RUSTSEC-2019-0011.3A.20memoffset.html#171615105">(Jul 24 2019 at 15:19)</a>:</h4>
<p><a href="https://github.com/tokio-rs/tokio/issues/1345" target="_blank" title="https://github.com/tokio-rs/tokio/issues/1345">https://github.com/tokio-rs/tokio/issues/1345</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>